WebKit ROP Chain Tutorials [Creation/Editing/Debugging] - PS3 Development

Writing works when the read-only attribute is removed from the file. It is created as read-only for some reason.

------------

Anyway, is it known how to decrypt and encrypt an official SPRX file? So that one could copy it from an OFW PS3, modify it and encrypt it back on PC, and then replace the file on the PS3 so that the modified one is loaded by the OFW. Are the keys known?

The problem is the re-encryption part. We can decrypt SPRX files, but re-encrypting them... the keys used for 3.55 were revoked, so the system won't accept them encrypted with those keys.
 
@zolyek
There is no need to gain root privileges because ROP execution inherits its privileges from the WebKit thread, which runs as root. In short, ROP already executes as root; this was never an issue.

Additionally, the PS3 OS is built upon BSD sources; however, there is no terminal available to run Unix-like commands from userland.
 
Dude, when copying files you need to fill in the file size, right? And what happens if I put a wrong size, or one nearly the same as the normal size??
If you put the wrong size then it will just copy the wrong amount of bytes and the new file will not be correct.

In the tutorial template there is a chain for getting the file size, using the sys_fs_stat syscall and reading the value at offset 0x28; you just supply it with the source path. The easier way, and the way it's done in v3, is to get the size and then use that value as the value in the read/write syscalls automatically.

The tutorial files were left as is for people to learn in steps how the chains are done.
 
Does anyone know much about the NOR dump/write process, and would it work on OFW 4.83? I've seen other threads about it for OFW 4.82, but that ship has sailed. CECH2501B
 
It's currently not possible to use the dumper/writer tools on 4.83, even if you manually update the offsets in the JavaScript.
A new way to trigger ROP execution needs to be found before those tools can work on 4.83.
 
OK, thank you for your response.
 
Dude, last question: how do I use Get File Size?? And what do I need to press?
From the drop-down, under File System -> Get File Size.

Choose the source file and an alert will display the size in hex.

If you are interested as to where this is in the source, it is located in files/js/api/defaults.js at line 1057:
syscallAndExit(path_src_fp_addr,filesize_addr,0,0,0,0,0,0,sc_sys_fs_stat,temp_addr_8A,temp_addr_8B);
This is the syscall (sys_fs_stat). It puts the returned hex at offset temp_addr_8A (0x8A000000).

When you press the exec ROP button it will prompt you to press again. It will then read from 0x8A000000+0x28 and show the size on screen (line 2685 in defaults.js):
setTimeout(showFilesize, 2000); // pass the function reference, not its result, so it runs after the 2 s delay


EDIT:

When I press file transfer usb_0/ to destination it gives me a web error.
If you are referring to the PETT XMB Menu, then that option is not working and is still in test form. Most of the other options should work fine. That menu is mainly a PoC for testing cool/interesting things, syscalls, and other chains from XMB, which does work well lol
 